Master Intranet Penetration: NPS, FRP, EW, and Ngrok Explained
This guide introduces four lightweight high‑performance intranet‑penetration tools—NPS, FRP, EW, and Ngrok—detailing their core features, cross‑platform support, configuration steps, and practical usage scenarios such as remote desktop, SSH, custom domain web services, file sharing, and traffic monitoring.
1. NPS‑NPC
1.1 Overview
NPS is a lightweight, high‑performance, feature‑rich intranet‑penetration proxy server. It currently supports TCP and UDP traffic forwarding, so it can carry any upper‑layer protocol (web access, local payment interface debugging, SSH, RDP, internal DNS resolution, etc.). It also supports internal HTTP proxy, SOCKS5 proxy, and P2P, and provides a powerful web management console.
A public‑IP server (VPS) runs the NPS server component.
One or more internal servers or PCs run the NPC client component.
1.2 Features
Written in Go.
Cross‑platform.
Supports multiple proxy protocols.
Web management interface.
1.3 Installation
Download releases from GitHub.
1.4 NPS Server Configuration
Installation & Setup
cd ~
wget https://github.com/cnlh/nps/releases/download/v0.23.2/linux_amd64_server.tar.gz
tar xzvf linux_amd64_server.tar.gz
cd ~/nps
Edit conf/nps.conf to set the web management parameters:
web_host=<Server IP or domain>
web_username=admin
web_password=<Your password>
web_port=8080
Modify the ##bridge section to change the NPC connection port (e.g., 443) if the server only allows limited outbound ports.
##bridge
bridge_type=tcp
# modify connection port
bridge_port=443
bridge_ip=0.0.0.0
Start NPS
# Mac/Linux
./nps test|start|stop|restart|status
# Windows
nps.exe test|start|stop|restart|status
1.5 NPC Client
./npc -server=YourIP:8024 -vkey=UniquePassword -type=tcp
The port in -server must match bridge_port in nps.conf (8024 by default; 443 if changed as above). After creating a client, you can add it via the web UI; each client has a unique vkey.
1.6 Web Management
Through the UI you can add clients, create multiple protocol tunnels per client, and expose internal services via different ports and protocols.
2. FRP
2.1 Overview
FRP is a high‑performance reverse proxy focused on intranet penetration, supporting TCP, UDP, HTTP, HTTPS, and more. It forwards internal services to the public internet via a public‑IP node.
2.2 Features
Client‑server communication supports TCP, KCP, and WebSocket.
Port reuse allows multiple services to share a single server port.
Cross‑platform (slightly fewer protocols than NPS).
Pluggable architecture provides many additional functions.
2.3 Usage
Download from GitHub.
RDP Access
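Edit frps.ini to set a token for authentication. The value abcdefgh below is a placeholder; use a long random value and set the same token in frpc.ini.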
[common]
bind_port = 7000
token = abcdefgh
Start the server: ./frps -c ./frps.ini
Edit frpc.ini (example for RDP):
[common]
server_addr = x.x.x.x
server_port = 7000
token = abcdefgh
[rdp]
type = tcp
local_ip = 127.0.0.1
local_port = 3389
remote_port = 6000
Start the client: ./frpc -c ./frpc.ini
Connect via x.x.x.x:6000.
SSH Access
[ssh]
type = tcp
local_ip = 127.0.0.1
local_port = 22
remote_port = 6000
Connect with: ssh -oPort=6000 <user>@x.x.x.x
Custom Domain Web Service
# frps.ini
[common]
bind_port = 7000
vhost_http_port = 8080
token = abcdefgh
# frpc.ini
[web]
type = http
local_port = 80
custom_domains = www.yourdomain.com
Point the domain A record to the server IP and access http://www.yourdomain.com:8080.
Static File Service
[test_static_file]
type = tcp
remote_port = 6000
plugin = static_file
plugin_local_path = /tmp/file
plugin_strip_prefix = static
plugin_http_user = abc
plugin_http_passwd = abc
Browse http://x.x.x.x:6000/static/ to retrieve files.
Common Functions
Dashboard
Enable by adding dashboard_port = 7500 and credentials in frps.ini, then visit http://[server_addr]:7500.
Encryption & Compression
Set use_encryption = true and/or use_compression = true in the proxy section to encrypt and/or compress that proxy's traffic between frpc and frps.
TLS
From v0.25.0, enable TLS by adding tls_enable = true under [common] in frpc.ini.
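An added example (not from the original article or the frp project): a small Python audit that flags the weak spots in the sample configurations above, namely the short token, the missing tls_enable on the client, a dashboard without explicit credentials, RDP/SSH published on a public port, and the abc/abc static_file password. MIN_SECRET_LEN and the function name audit are assumptions for illustration; the sample INI text is constructed from the settings shown on this page.

```python
import configparser

# Constructed samples mirroring the frps.ini / frpc.ini settings shown on this page.
SAMPLE_FRPS = """[common]
bind_port = 7000
token = abcdefgh
dashboard_port = 7500
"""
SAMPLE_FRPC = """[common]
server_addr = x.x.x.x
server_port = 7000
token = abcdefgh
[rdp]
type = tcp
local_port = 3389
remote_port = 6000
[test_static_file]
type = tcp
remote_port = 6000
plugin = static_file
plugin_http_user = abc
plugin_http_passwd = abc
"""

MIN_SECRET_LEN = 16  # assumption: a local policy value, not an frp requirement
SENSITIVE_PORTS = {"22": "SSH", "3389": "RDP"}

def audit(ini_text):
    """Return a list of findings for one frps.ini or frpc.ini (legacy INI format)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    findings = []
    common = cp["common"] if cp.has_section("common") else {}
    if len(common.get("token", "")) < MIN_SECRET_LEN:
        findings.append("common: token missing or shorter than policy minimum")
    if "server_addr" in common and common.get("tls_enable", "false").lower() != "true":
        findings.append("common: tls_enable not set on client")
    if "dashboard_port" in common and not (common.get("dashboard_user") and common.get("dashboard_pwd")):
        findings.append("common: dashboard enabled without explicit credentials")
    for name in cp.sections():
        if name == "common":
            continue
        s = cp[name]
        svc = SENSITIVE_PORTS.get(s.get("local_port", ""))
        if svc and "remote_port" in s:
            findings.append(f"{name}: {svc} published on public port {s['remote_port']}")
        if s.get("plugin") == "static_file" and len(s.get("plugin_http_passwd", "")) < MIN_SECRET_LEN:
            findings.append(f"{name}: static_file plugin password missing or weak")
    return findings
```

Run audit() over each configuration file before deployment; an empty list means none of these checks fired, not that the exposure itself is appropriate.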
Bandwidth Limiting
[ssh]
bandwidth_limit = 1MB
Port Range Mapping
[range:test_tcp]
type = tcp
local_ip = 127.0.0.1
local_port = 6000-6006,6007
remote_port = 6000-6006,6007
3. EW (EarthWorm)
3.1 Overview
EW is a portable network‑penetration tool written in C, offering SOCKS5 proxy and port‑forwarding capabilities. It is no longer maintained.
3.2 Features
Lightweight, C‑based.
Supports multi‑level proxy chaining.
Cross‑platform.
Only supports SOCKS5.
3.3 Usage
All examples assume the default SOCKS5 port 1080.
# Forward SOCKS5 server
./ew -s ssocksd -l 1080
# Reverse SOCKS5 server (two‑step)
# On public host A
./ew -s rcsocks -l 1080 -e 8888
# On target host B
./ew -s rssocks -d 1.1.1.1 -e 8888
# Multi‑level chaining examples
./ew -s lcx_listen -l 1080 -e 8888
./ew -s lcx_tran -l 1080 -f 127.0.0.1 -g 9999
./ew -s lcx_slave -d 127.0.0.1 -e 8888 -f 127.0.0.1 -g 9999
4. Ngrok
4.1 Overview
Ngrok is a reverse proxy that creates a secure tunnel between a public endpoint and a locally running web server, exposing internal services to the internet and providing traffic inspection and replay.
4.2 Features
Officially maintained, generally stable.
Cross‑platform, closed‑source.
Traffic logging and replay.
4.3 Usage
Register on ngrok.com and download the binary.
Authorize with your token: ./ngrok authtoken YOUR_TOKEN
Expose a local HTTP service: ./ngrok http 80
Optional file sharing:
ngrok http -auth="user:password" file:///Users/alan/share
ngrok http "file:///C:\Users\alan\Public Folder"
Expose RDP (TCP 3389): ngrok tcp 3389
More details at ngrok documentation.
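An added example (not part of the original article or of any of these projects): detection logic that matches the client command lines shown in sections 1 to 4 against process-creation events, keying on arguments where possible so that a renamed binary is still caught, and redacting the NPS vkey before the alert is stored. The rule names, host names and sample events are constructed for illustration.

```python
import re

# Signatures derived only from the command lines shown on this page.
RULES = [
    # npc: matched on its arguments, not the binary name
    ("nps-client", re.compile(r"-server=\S+.*\s-vkey=\S+")),
    # EarthWorm: -s <mode> plus a numeric -l/-e port, whatever the binary is called
    ("ew-socks", re.compile(
        r"\s-s\s+(ssocksd|rcsocks|rssocks|lcx_listen|lcx_tran|lcx_slave)\b"
        r"(?=.*\s-[le]\s+\d+)")),
    ("frp", re.compile(r"(^|[/\\])frp[cs](\.exe)?\s+-c\s+\S+")),
    ("ngrok", re.compile(r"(^|[/\\])ngrok(\.exe)?\s+(http|tcp|authtoken)\b")),
]
VKEY = re.compile(r"(-vkey=)\S+")

# Constructed process-creation events: (host, command line).
SAMPLE_EVENTS = [
    ("ws-014", "./npc -server=203.0.113.10:8024 -vkey=UniquePassword -type=tcp"),
    ("db-002", "/tmp/.cache/svc -s rssocks -d 203.0.113.10 -e 8888"),
    ("build-1", "/opt/frp/frpc -c /opt/frp/frpc.ini"),
    ("dev-007", "C:\\Tools\\ngrok.exe tcp 3389"),
    ("web-001", "/usr/sbin/sshd -D"),
    ("ws-020", "grep -s rssocks notes.txt"),  # benign: no -l/-e port argument
]

def detect(events):
    """Return (host, rule, redacted command line) for each matching event."""
    hits = []
    for host, cmd in events:
        for name, rx in RULES:
            if rx.search(cmd):
                hits.append((host, name, VKEY.sub(r"\1<redacted>", cmd)))
                break
    return hits

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```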
MaGe Linux Operations
